MUTUAL-RECURSION-PROOF-EXAMPLE

Sometimes one wants to reason about mutually recursive functions.
Although this is possible in ACL2, it can be a bit awkward. This
example is intended to give some ideas about how one can go about
such proofs.

We begin by defining two mutually recursive functions: one that
collects the variables from a term, the other that collects the
variables from a list of terms. We actually imagine the term
argument to be a pseudo-termp; see pseudo-termp.

The idea of the following function is that it suggests a proof by
induction in two cases, according to the top-level if structure of
the body. In one case, (atom x) is true, and the theorem to be
proved should be proved under no additional hypotheses except for
(atom x). In the other case, (not (atom x)) is assumed together
with three instances of the theorem to be proved, one for each
recursive call in this case. So, one instance substitutes (car x)
for x; one substitutes (cdr x) for x; and the third substitutes
(cdr x) for x and (free-vars1 (car x) ans) for ans. If you think
about how you would go about a hand proof of the theorem to follow,
you'll come up with a similar scheme.

We now state the theorem as a conditional, so that it can be proved
nicely using the induction scheme that we have just coded. The
prover will not store an ifterm as a rewrite rule, but that's OK
(as long as we tell it not to try), because we're going to derive
the corollaries of interest later and make them into rewrite
rules.